Abstract

Generalizing a method of Sutherland and the author for elliptic curves [5], we design a subexponential algorithm for computing the endomorphism ring structure of ordinary abelian varieties of dimension two over finite fields. Although its correctness and complexity bound rely on several assumptions, we report on practical computations showing that it performs very well and can easily handle previously intractable cases.

Note. Certain results of this paper previously appeared in the author's thesis [2].

1 Introduction

Let A be an absolutely simple abelian variety of dimension g defined over a field with q elements; its Frobenius endomorphism π admits a monic characteristic polynomial χ_π ∈ Z[t] of which the 2g complex roots have absolute value √q. Pila [24] proved that this polynomial can be computed in time polynomial in log(q). In the generic case where A is ordinary, χ_π is irreducible and the endomorphisms of A form a discrete subring of maximal rank (an order) End(A) of Q(π) that is unchanged by base field extensions.

Tate [28] showed that χ_π not only encodes the cardinality of A over extension fields but also uniquely identifies its isogeny class. The endomorphism ring structure of an abelian variety is a finer invariant than χ_π, which is better suited to isogeny-related problems such as those considered in [16] and has also found constructive applications to cryptography, for instance in [27].

Kohel [13] first addressed the computation of this structure and obtained an exponential method for ordinary elliptic curves. It was recently improved by Sutherland and the author [5], yielding an algorithm with subexponential complexity under heuristic assumptions that were later proved to hold under the generalized Riemann hypothesis [1]. Although Kohel's method does not extend to dimensions g > 1 [7, Example 8.3], other exponential methods exist for arbitrary g, namely those of Eisenträger and Lauter [13] and of Wagner [29].

This paper generalizes the techniques of [5, 1] to ordinary abelian varieties of dimension g = 2 and obtains the first subexponential algorithm for computing their endomorphism rings; its asymptotic complexity is

$L(q)^{g^2\sqrt{3}/2 + o(1)}$ where $L(q) = \exp\sqrt{\log(q)\cdot\log\log(q)}$

as q goes to infinity. We stress that both its correctness and complexity bound rely on heuristic assumptions besides the generalized Riemann hypothesis, and require the exclusion of a zero-density set of worst-case varieties. In practice, we find that our algorithm performs very well on examples of moderate size. When relevant, we avoid specializing the variable g to 2 in our complexity estimates, as they would also hold for g > 2 if certain tasks turned out to be computationally feasible; see Section 6.

Section 2 discusses the relation between isogenies and endomorphism rings on which our algorithm, outlined in Section 3, is based. Sections 4 and 5 then explain how short relations are generated and corresponding isogenies evaluated. Heuristic assumptions and worst cases are reviewed in Section 6, while practical runtimes are reported in Section 7.

2 Isogenies and Endomorphism Rings

We assume some familiarity with abelian varieties, isogenies, and endomorphism rings; we refer to [10, Chapter V] for background material and to [25] for complex multiplication.

Consider again an absolutely simple, ordinary abelian variety A of dimension g defined over a field with q elements, and fix an isomorphism of its endomorphism algebra Q(π) = Q ⊗ End(A) with a number field K; this field is called the complex multiplication field of A and is a totally imaginary quadratic extension of a totally real number field K_0 of degree g. Waterhouse [30] showed that the endomorphism rings of abelian varieties isogenous to A are exactly those orders of K that contain Z[π, π̄], where π̄ = q/π; they form a finite lattice (in the set-theoretic sense of the word) with supremum the ring of integers O_K.

Following Fouquet and Morain, we say that an isogeny φ : A → B is horizontal when End(A) and End(B) are the same order in K, and vertical otherwise. In a sense, horizontal isogenies are the prevalent case.

Lemma 2.1. If φ : A → B is an isogeny with kernel isomorphic to (Z/ℓZ)^g, the index [End(A) + End(B) : End(A) ∩ End(B)], which we call the distance between the orders End(A) and End(B), is a divisor of ℓ^{2g−1}.

Proof. Since φ splits the multiplication-by-ℓ map, we have ℓEnd(A) ⊂ End(B) and, the latter being an order, we further have Z + ℓEnd(A) ⊂ End(B); we thus obtain the lattice of Figure 1. As they are indices of the form [O : Z + ℓO], the products bcd, ace, and cde are all equal to ℓ^{2g−1}, which implies bcd · ace/cde = ℓ^{2g−1} and finally ab = ℓ^{2g−1}/c. □

The distance between the endomorphism rings of isogenous abelian varieties necessarily divides the index [O_K : Z[π, π̄]]; vertical isogenies thus only exist for finitely many primes ℓ. On the other hand, horizontal isogenies occur for a positive density of primes ℓ, which follows from the following result.

Theorem 2.2 ([25, §7], [30, §7]). For every ideal $\mathfrak{a}$ of End(A), denote by $\phi_\mathfrak{a}$ the quotient isogeny

$A \longrightarrow A \Big/ \bigcap_{\alpha \in \mathfrak{a}} \ker(\alpha).$

If $\mathfrak{a}$ is invertible and coprime to the characteristic, $\phi_\mathfrak{a}$ is a horizontal isogeny of degree $N_{K/\mathbb{Q}}(\mathfrak{a})$ and all such isogenies arise in that way; this induces a free and transitive action of cl(End(A)) on the isogeny class of A up to isomorphisms.
[Figure 1 is a lattice diagram of which only the node labels survive extraction. From top to bottom: End(A) + End(B); End(A) and End(B); End(A) ∩ End(B); Z + ℓEnd(A) + ℓEnd(B); Z + ℓEnd(A) and Z + ℓEnd(B); Z + ℓEnd(A) ∩ ℓEnd(B).]

Figure 1: Lattice of orders for an isogeny A → B of kernel (Z/ℓZ)^g.

However, isogenies cannot be computed efficiently unless abelian varieties are equipped with polarizations, which this theorem disregards. From now on, we will therefore assume that A is endowed with a principal polarization, and require that morphisms preserve this extra structure; this implies that End(A) is stable under complex conjugation. To state an equivalent to Theorem 2.2 in this setting, we need a slightly different type of class group:

Definition 2.3. For any order O in a complex multiplication field K, denote by $I_O$ the group consisting of all pairs $(\mathfrak{a}, \rho)$ satisfying $\mathfrak{a}\bar{\mathfrak{a}} = \rho O$, where $\mathfrak{a}$ is an invertible fractional ideal of O and ρ is a totally positive element of K_0, endowed with component-wise multiplication; also, let $P_O$ be its subgroup formed by pairs of the form $(\mu O, \mu\bar\mu)$ for μ ∈ K. The quotient group $I_O/P_O$ is called the polarized class group of O and is denoted by $\mathfrak{C}(O)$.

Note that this group is unchanged if we additionally require that $\mathfrak{a}$ (and μ) be coprime to a fixed integer v; from now on, it will be understood that we exclusively consider class representatives of this type with v = disc(Z[π, π̄]). By the following theorem, such elements correspond to horizontal isogenies that preserve the polarization.

Theorem 2.4 ([25, §14]). Provided that End(A) is maximal, one can associate a horizontal isogeny of degree $N_{K/\mathbb{Q}}(\mathfrak{a})$ to every $(\mathfrak{a}, \rho) \in \mathfrak{C}(\operatorname{End}(A))$, where $\mathfrak{a}$ is coprime to the characteristic, so as to induce a free action of $\mathfrak{C}(\operatorname{End}(A))$ on the isogeny class of A up to isomorphisms.

For elliptic curves, this result coincides with Theorem 2.2 due to the uniqueness of principal polarizations, and thus holds for non-maximal endomorphism rings as well. It is also believed to hold for general endomorphism rings in higher dimension, and we will assume that it does; see Section 6 for details on the extent of our assumptions.






3 Locating Endomorphism Rings

Our main idea to compute the endomorphism ring of A originates from [5] and consists in locating it in the lattice of orders of K containing Z[π, π̄] by comparing the structure of the graph of horizontal isogenies with that of polarized class groups of candidate rings. Sections 4 and 5 describe this and obtain the result below under the assumptions of Section 6, namely g = 2, certain heuristics, and the exclusion of a zero-density set of varieties.

Proposition 3.1. Subject to the restrictions listed in Section 6, Algorithm 5.4 determines whether End(A) contains a prescribed order O with negligible error probability using an expected

$L(|\operatorname{disc}(O)|)^{g\sqrt{3}/2 + o(1)}$

operations in the base field.

This enables us to test whether End(A) = O_K in subexponential time, a particular case that was deemed sufficient for early complex multiplication methods in dimension two [15]. Nevertheless, to compute the endomorphism ring entirely (as newer methods require [17]), we must first bound the number of orders containing Z[π, π̄] and their discriminants.

Lemma 3.2. We have:

$|\operatorname{disc}(\mathbb{Z}[\pi,\bar\pi])| \le 4^{g(2g-1)}\, q^{g^2},$

$[O_K : \mathbb{Z}[\pi,\bar\pi]] \le 2^{g(2g-1)}\, q^{g^2/2}.$

Proof. All 2g complex roots of χ_π have absolute value √q, so we have $|\operatorname{disc}(\chi_\pi)| \le (2\sqrt{q})^{2g(2g-1)}$. The bounds then follow from the classical relation $[O : O']^2 = \operatorname{disc}(O')/\operatorname{disc}(O)$ and, for the first one, the identity $[\mathbb{Z}[\pi,\bar\pi] : \mathbb{Z}[\pi]] = q^{g(g-1)/2}$ and, for the second one, the triviality |disc(O_K)| ≥ 1. □

These bounds are nearly tight so there might be exponentially many candidate endomorphism rings; to efficiently locate End(A) among them, we perform an n-ary search in the lattice of orders using the following algorithm borrowed from [5].

Algorithm 3.3.

Input: An absolutely simple, ordinary, principally polarized abelian variety A of dimension g defined over a field with q elements.
Output: The endomorphism ring of A.

1. Compute the Frobenius polynomial χ_π of A.

2. Factor its discriminant and construct the order O' = Z[π, π̄].

3. For orders O directly above O':

4. If O ⊂ End(A), set O' ← O and go to Step 3.

5. Return O'.

By directly above, we mean that O contains O' and no order lies strictly between them; the distance between two such orders necessarily divides ℓ^{2g−1} for some prime factor ℓ of [O_K : Z[π, π̄]], since O' must then contain Z + ℓO.

For Step 2, we use the unconditional factoring method of Lenstra and Pomerance [20]; its complexity is $L(|\operatorname{disc}(\chi_\pi)|)^{1+o(1)}$, that is, at most $L(q)^{g\sqrt{2}+o(1)}$. Alternatively, one may rely on the number field sieve [19], which has a heuristically better runtime.
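As an added illustration, not code from the paper, the following Python script runs the n-ary search of Algorithm 3.3 in the one setting where the lattice of orders can be written down explicitly: for elliptic curves (g = 1) the orders containing Z[π] are Z + fO_K for the divisors f of v = [O_K : Z[π]], and the orders directly above Z + fO_K are Z + (f/ℓ)O_K for the primes ℓ dividing f. The containment test of Step 4, which the paper performs with Algorithm 5.4, is replaced here by an oracle that knows the true conductor f_0 (a constructed value); the returned query count shows how many containment tests the walk needed. The function names are ours and the index pattern reused below is the one of Section 7.2.

```python
from collections import Counter


def factor(n):
    """Trial-division factorization; sufficient for the indices used here."""
    factors = Counter()
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] += 1
            n //= d
        d += 1
    if n > 1:
        factors[n] += 1
    return factors


def orders_directly_above(f):
    """Conductors f/ell of the orders directly above Z + f*O_K (g = 1 picture)."""
    return [f // ell for ell in factor(f)]


def locate_endomorphism_ring(v, contains_oracle):
    """Algorithm 3.3 on the divisor lattice.

    v is the index [O_K : Z[pi]] (Step 2 of the algorithm starts at Z[pi] itself);
    contains_oracle(f) answers the Step 4 question "is Z + f*O_K inside End(A)?".
    Returns (conductor of End(A), number of oracle queries).
    """
    f = v                       # Step 2: start at the smallest order
    queries = 0
    while True:                 # Steps 3 and 4
        moved = False
        for f_above in orders_directly_above(f):
            queries += 1
            if contains_oracle(f_above):
                f = f_above     # Step 4: O' <- O and go back to Step 3
                moved = True
                break
        if not moved:
            return f, queries   # Step 5: no order above is contained in End(A)


def make_oracle(true_conductor):
    """Simulated Step 4: Z + f*O_K is contained in Z + f0*O_K iff f0 divides f."""
    return lambda f: f % true_conductor == 0


if __name__ == "__main__":
    v = 2**2 * 47**2 * 379                  # index pattern of Section 7.2 (constructed oracle)
    print(locate_endomorphism_ring(v, make_oracle(47**2 * 379)))
```

In dimension two the lattice is no longer a divisor lattice and the orders directly above a given one have to be enumerated as described in Section 6.1, but the control flow of the search, and the fact that each accepted step strictly enlarges O', are the same.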

Theorem 3.4. Subject to the restrictions listed in Section 6, the expected running time of Algorithm 3.3 is bounded by

Proof. Section 6.1 will show that enumerating the orders directly above a given one can almost always be done in negligible time compared to the overall complexity. The bottleneck of our algorithm is thus Step 4, which by Proposition 3.1 uses $L(|\operatorname{disc}(\mathbb{Z}[\pi,\bar\pi])|)^{g\sqrt{3}/2+o(1)}$ operations. Using Lemma 3.2 we may therefore bound the total complexity by $L(q)^{g^2\sqrt{3}/2+o(1)}$. □



4 Evaluating Isogenies

The next section will establish Proposition 3.1 by exploiting Theorem 2.4: to compare O to End(A), we will compare the structures of their polarized class groups by testing whether trivial products in $\mathfrak{C}(O)$ yield isogeny chains mapping A to isomorphic varieties. This only requires us to compute isogenous varieties $\phi_\mathfrak{a}(A)$ for given elements $\mathfrak{a} \in I_O$, not to actually evaluate the isogenies $\phi_\mathfrak{a}$ and push points of A through them; however, there is currently no way of doing the former more efficiently than the latter.

In fact, evaluating isogenies in dimension g > 1 became feasible only recently due to the work of Lubicz and Robert [22] implemented in the AVIsogenies library [3]. At the time of this writing, only isogenies with maximal isotropic kernel of degree coprime to the characteristic may be evaluated; more precisely, we have the following result (see [11, Theorem 1.2] for a more explicit statement specialized to g = 2):

Proposition 4.1. Let H be a given isotropic subgroup isomorphic to (Z/ℓZ)^g of an abelian variety of dimension g. The separable isogeny with kernel H can be evaluated with a worst-case complexity of $\ell^{3g+o(1)}$ operations in the base field.

Prior to evaluating an isogeny, we must identify its kernel H as corresponding to a given element $(\mathfrak{a}, \rho)$ of the polarized class group $\mathfrak{C}(\mathbb{Z}[\pi,\bar\pi])$. Assuming that $\mathfrak{a}$ is a prime above some ℓ ∈ Z, and writing it as $\ell O + f(\pi) O$ for some factor f of χ_π mod ℓ, we can take H to be the subgroup of A[ℓ] on which the Frobenius acts with characteristic polynomial f; it is unique since we restrict to ideals $\mathfrak{a}$ coprime to v = disc(Z[π, π̄]). In effect, this identification fixes an isomorphism between Q ⊗ End(A) and the complex multiplication field K (mapping a fixed root of χ_π to the Frobenius endomorphism) as was required in Section 2, and it only matters that this be done consistently within a given isogeny class.

Points of H are defined over an extension field whose degree is the multiplicative order of x in $\mathbb{Z}[x]/(f, \ell)$, that is, at most $N_{K/\mathbb{Q}}(\mathfrak{a}) - 1$. Over that extension, assuming that points of A can be drawn uniformly at random in an efficient manner, the ℓ-torsion subgroup of A can be computed using an algorithm of Couveignes [12, §8].

Once the isogenous abelian variety has been computed, we must find a representative of its isomorphism class over the base field, so that this process can be iterated. When g = 2, abelian varieties can be represented as Jacobian varieties of hyperelliptic curves, which allows us to efficiently draw points uniformly at random as well as to exploit the theory of invariants and Mestre's algorithm [23] in order to find representatives of isomorphism classes defined over the smallest possible field (that is, the field of definition of H).

In dimension g ≥ 3, where only general representations of abelian varieties are available (such as those given by theta functions), there is to the best of our knowledge no efficient method to draw points uniformly at random or to find representatives of isomorphism classes defined over minimal fields. When g = 3, abelian varieties can still be represented as Jacobian varieties of algebraic curves, which gives a solution to the first problem, and we note that recent work comes close to solving the second one.



5 Generating Short Relations

To determine whether a given order O is contained in the endomorphism ring of A, we generalize the approach of [5, 1]. It rests on Theorem 2.4 and the simple result below.

Lemma 5.1. For any two orders O ⊂ O' containing Z[π, π̄], the map $(\mathfrak{a}, \rho) \in I_O \mapsto (\mathfrak{a}O', \rho) \in I_{O'}$ induces a natural morphism of polarized class groups $\mathfrak{C}(O) \to \mathfrak{C}(O')$; this morphism is surjective when restricted and corestricted to elements such that ρ ∈ Q.

Denote by $\mathfrak{C}'(O)$ the subgroup of $\mathfrak{C}(O)$ formed by elements whose ρ are rationals. Now, define a relation as a tuple $(\mathfrak{a}_1, \dots, \mathfrak{a}_k)$ of elements of $\mathfrak{C}'(\mathbb{Z}[\pi,\bar\pi])$, say that it holds in O if the product $\mathfrak{a}_1 \cdots \mathfrak{a}_k$ is trivial in $\mathfrak{C}(O)$ through the map of the above lemma, and that it holds in A if the corresponding isogeny chain $\phi_{\mathfrak{a}_1} \circ \cdots \circ \phi_{\mathfrak{a}_k}$ maps A to an isomorphic abelian variety. By Theorem 2.4, if every relation that holds in O also does in A, the group $\mathfrak{C}(\operatorname{End}(A))$ must be a quotient of $\mathfrak{C}(O)$, which is almost always equivalent to O ⊂ End(A) as we will see in Section 6.2.

The computation of class groups of algebraic orders is a classical topic that has led to the development of fast algorithms for generating ideal relations. However, our requirement that corresponding isogenies be efficiently computable places two additional constraints:

• Elements $(\mathfrak{a}_i)$ of our relations must correspond to maximal isotropic isogenies.

• Their number k and norms $(N_{K/\mathbb{Q}}(\mathfrak{a}_i))$ must be bounded.

The latter constraint is already addressed in [1, §6], whose results and proofs carry directly over to arbitrary dimension; we now explain how to additionally satisfy the former.

Let Φ be a type for K, that is, a set of representatives for embeddings of K into its normal closure K^c up to complex conjugation. Its type norm

$N_\Phi : x \longmapsto \prod_{\phi \in \Phi} \phi(x)$

maps K to its reflex field K^r, the fixed field of $\{\sigma \in \operatorname{Gal}(K^c/\mathbb{Q}) : \sigma\Phi = \Phi\}$, and induces a morphism taking ideals $\mathfrak{a}$ of K to elements $(N_\Phi(\mathfrak{a}), N_{K/\mathbb{Q}}(\mathfrak{a}))$ of $\mathfrak{C}(O^r)$ for any order O^r of K^r with discriminant coprime to v. Types of absolutely simple abelian varieties are primitive, which implies that K^{rr} = K; hence the type norm of the reflex type Φ^r, the restriction to K^r of inverses of automorphisms of K^c induced by Φ, or reflex type norm, maps ideals of K^r to $\mathfrak{C}(O)$ for any order O containing Z[π, π̄]. See Figure 2.

[Figure 2 is a diagram of which only the caption survives extraction.]

Figure 2: The complex multiplication field, its reflex field, and type norm maps.

The image of $N_{\Phi^r}$ in $\mathfrak{C}(O)$ only contains elements for which the corresponding isogenies can be computed via Proposition 4.1. Therefore, to generate relations of O as efficiently as evaluating the corresponding isogeny chains, we first generate tuples of ideals $(\mathfrak{a}_i)$ whose product is principal in O using the method of Buchmann [8] as modified in [1, §6], and then use the relation $(N_{\Phi^r} N_\Phi(\mathfrak{a}_i))$, whose total norm is $\sum N_{K/\mathbb{Q}}(\mathfrak{a}_i)^g$. Formally, this gives:

Algorithm 5.2.

Input: An order O and a parameter γ > 0.
Output: A relation holding in O whose associated isogeny can be computed efficiently.

1. Form the set $\mathfrak{B}$ of prime ideals $\mathfrak{p}$ of O with norm less than $N = L(\Delta)^\gamma$.

2. Draw a vector $x \in \mathbb{Z}^{\mathfrak{B}}$ uniformly at random with coordinates $|x_\mathfrak{p}| \le \log(\Delta)^{4+\epsilon}$ when $N_{K/\mathbb{Q}}(\mathfrak{p}) < \log(\Delta)^{2+\epsilon}$ and $x_\mathfrak{p} = 0$ otherwise.

3. Compute the reduced ideal representative $\mathfrak{a}$ of $\prod \mathfrak{p}^{x_\mathfrak{p}}$.

4. If $\mathfrak{a}$ factors over $\mathfrak{B}$ as $\prod \mathfrak{p}^{y_\mathfrak{p}}$:

5. Return the relation containing $N_{\Phi^r}(N_\Phi(\mathfrak{p}))$ with multiplicity $x_\mathfrak{p} - y_\mathfrak{p}$ for $\mathfrak{p} \in \mathfrak{B}$.

6. Go back to Step 2.

For details on Step 4 (and more generally on computing ideal relations in number fields), we refer to [9]. From [1, Theorem 3.1], we obtain:

Proposition 5.3. Assuming that reduced ideals are as smooth as random integers, this algorithm generates a relation with total norm $L(\Delta)^{g^2\gamma+o(1)}$ in expected time $L(\Delta)^{\gamma+o(1)} + L(\Delta)^{1/(4\gamma)+o(1)}$.

The relations we so obtain form only a sublattice of all relations of $\mathfrak{C}(O)$; nevertheless, Section 6.2 will show that they suffice to uniquely characterize O from other orders containing Z[π, π̄] except locally at small primes and except for a zero-density set of Weil numbers π. Similarly to [1, §6], one can prove that those relations are quasi-uniformly distributed in this sublattice, so that log(q) of them suffice to identify O with error probability at most 1/q.

To balance the cost of Algorithm 5.2 with that of evaluating corresponding isogenies via Proposition 4.1, we set γ = 1/(2g√3). The proof of Proposition 3.1 can now be concluded with the following algorithm.

Algorithm 5.4.

Input: An absolutely simple, ordinary, principally polarized abelian variety A of dimension g defined over F_q and an order O containing Z[π, π̄].
Output: Whether O ⊂ End(A).

1. Repeat log(q) times:

2. Find a relation $(\mathfrak{a}_1, \dots, \mathfrak{a}_k)$ of $\mathfrak{C}(O)$ using Algorithm 5.2.

3. If $\phi_{\mathfrak{a}_1} \circ \cdots \circ \phi_{\mathfrak{a}_k}$ does not map A to an isomorphic variety, return false.

4. Return whether O ⊂ End(A) locally at small primes (see next section).

Note. Rather than generating independent relations for each order O of the lattice to be tested, one might be tempted to first compute the full class group structure of the maximal order O_K and then deduce relations of smaller orders O via the exact sequence

$1 \to O^\times \to O_K^\times \to (O_K/\mathfrak{f})^\times / (O/\mathfrak{f})^\times \to \operatorname{Pic}(O) \to \operatorname{Pic}(O_K) \to 1$

where $\mathfrak{f}$ is the conductor of O, that is, the largest ideal of both O and O_K. This has two disadvantages: first, computing class groups is much more expensive than generating just log(q) relations; second, the relations of O given directly by the exact sequence above grow linearly in the index [O_K : O], and deriving subexponential-size relations requires using an algorithm similar to 5.2 anyway.



6 Assumptions and Worst Cases

Throughout this paper, we have made the following assumptions:

(1) Theorem 2.4 holds for non-maximal orders. (Section 2)

(2) Orders directly above a given one can be enumerated in subexponential time. (Section 3)

(3) Isogenies $A \to A/\mathfrak{a}$ can effectively be evaluated over the base field. (Section 4)

(4) No two orders have the same polarized class group structure. (Section 5)

(5) Reduced ideals are as likely to be smooth as integers of comparable size. (Section 5)

We have seen in Section 4 that Assumption (3) is satisfied when g = 2, and we restrict to this case. Assumptions (1) and (5) are well-established heuristics which we gladly accept. Assumptions (2) and (4) do not hold in general but we will now show that they do outside of a zero-density set of abelian varieties A/F_q of fixed genus g, as q goes to infinity.
6.1 Enumerating orders

The lattice of orders containing Z[π, π̄] typically consists entirely of orders that are either minimal or maximal locally at large primes ℓ; indeed, integers v = [O_K : Z[π, π̄]] are not likely to be divisible by squares of large primes. More precisely, for any τ > 0, we have

$\#\{v \in \{1, \dots, n\} : \exists\, \ell \text{ prime},\ \ell > L(n)^\tau,\ \ell^2 \mid v\} \le \sum_{\ell > L(n)^\tau} \frac{n}{\ell^2},$

which is negligible compared to n as it goes to infinity; therefore, assuming that v has similar divisibility properties to random integers less than $2^{g(2g-1)} q^{g^2/2}$ (as per Lemma 3.2), only a zero-density set of abelian varieties of dimension g over F_q have lattices of orders that, locally at some prime ℓ > L(n)^τ, have height greater than 1.

Discarding that set, there is only one order directly above (resp. below) any given one locally at large primes ℓ, and they can be found using a Gröbner basis algorithm [2, §iii.2.3] in time subexponential in log(q). Locally at primes ℓ < L(n)^τ, we resort to the much more direct method of enumerating all subgroups of (1/ℓ)O/O and selecting those which are orders; this takes time polynomial in ℓ, that is, subexponential in log(q), and we select τ small enough so that this complexity is negligible compared to our overall complexity bound.



6.2 Orders with identical class group structure

To compute endomorphism rings locally at small primes ℓ, we rely on the direct method of Eisenträger and Lauter [13, §6.5], which uses $\ell^{2gv+o(1)}$ operations in the base field, where v is the valuation of [O_K : Z[π, π̄]] at ℓ. As above, to ensure that this cost is negligible relative to our overall complexity bound, we make τ > 0 small enough and omit the zero-density set of abelian varieties for which this index is divisible by a power greater than L(q)^τ of a prime less than L(q)^τ.

Consequently, we only need to show that the set of relations generated by Algorithm 5.2 (that is, the image through the map $N_{\Phi^r} N_\Phi$ of the set $\mathfrak{p}_O$ of ideals of Z[π, π̄] that are principal in O) discriminates O from other orders of the lattice locally at every prime ℓ > L(q)^τ, and we may assume that such primes ℓ only divide the index [O_K : Z[π, π̄]] with multiplicity 1. To establish this, let O' be another order containing Z[π, π̄] such that $N_{\Phi^r} N_\Phi(\mathfrak{p}_O) \subset P_{O'}$, where $P_{O'}$ is as in Definition 2.3. From [26, Lemma 1.8.4], we have the identity

$N_{\Phi^r} N_\Phi(\mathfrak{a}) = N_{K/\mathbb{Q}}(\mathfrak{a})\, \mathfrak{a}/\bar{\mathfrak{a}}$

from which it follows that the square of any element $(\mathfrak{a}, \rho) \in \mathfrak{p}_O$ is principal if and only if $N_{\Phi^r} N_\Phi(\mathfrak{a})$ is. Therefore, $N_{\Phi^r} N_\Phi(\mathfrak{p}_O) \subset P_{O'}$ implies $\mathfrak{p}_O^2 \subset P_{O'}$ and hence

$\ker(\mathfrak{C}(O^\circ) \to \mathfrak{C}(O))^2 \subset \ker(\mathfrak{C}(O^\circ) \to \mathfrak{C}(O'))$

where O° = O ∩ O'. Since, locally at all primes ℓ > L(q)^τ, either O = O' or one of them is maximal, we may apply [4, Theorem 5.1], which establishes that O ⊂ O' except possibly if ℓ divides $M \cdot N_{K_0/\mathbb{Q}}\operatorname{disc}(K/K_0)$ where M is a fixed integer. We thus discard yet another zero-density set of abelian varieties, namely those for which $M \cdot N_{K_0/\mathbb{Q}}\operatorname{disc}(K/K_0)$ and [O_K : Z[π, π̄]] have a common prime factor greater than L(q)^τ. See [2] for details.
6.3 Certifying the result

As an aside, let us describe how one may certify the output endomorphism ring O under Assumption (1), using relations that discriminate O from other orders of the lattice.

Definition 6.1. A certificate for an order O consists of:

• a family of orders O_i and relations r_i that hold in O_i but not in O,

• a family of orders O_j and relations r_j that hold in O but not in O_j,

such that O is the only order containing Z[π, π̄] satisfying O_i ⊄ O and O_j ⊅ O for all i and j.

As a direct consequence of Theorem 2.4, the endomorphism ring of an abelian variety A with Frobenius endomorphism π is O if and only if the isogenies corresponding to the r_j's map A to isomorphic varieties while those corresponding to the r_i's do not. In practice, the O_i's can be chosen to be all orders considered in Step 3 of Algorithm 3.3 found not to be contained in O = End(A) and the O_j's to be all orders directly below O.

When two orders O and O' cannot be distinguished using relations, the same technique can be used except locally at prime factors of [O + O' : O ∩ O']; the verification process then takes on the additional burden of verifying the endomorphism ring locally at those primes. Since they are almost always small, the associated cost is asymptotically negligible; therefore, by Propositions 4.1 and 5.3, it takes $L(q)^{g\gamma+o(1)} + L(q)^{g/(4\gamma)+o(1)}$ time to generate a certificate that can subsequently be verified in $L(q)^{3g\gamma+o(1)}$ operations, for any γ > 0.

7 Practical Computations

We give two examples illustrating different patterns for the index v = [O_K : Z[π, π̄]]. Previous algorithms [13, 29] compute endomorphism rings efficiently when A[ℓ^n] remains defined over small extension fields as ℓ^n ranges through prime-power factors of v, while ours performs well as soon as no order directly above Z[π, π̄] has an overly large discriminant.

Computations reported here were performed by a straightforward Magma [6] implementation using the AVIsogenies library [3] and running on one Intel i7-2620M core.

7.1 Example with nearly prime v

Let us first consider a very favorable case where v is both large and nearly prime, that of the Jacobian variety A of the hyperelliptic curve with equation

$y^2 = x^5 + 523747x^4 + 306186x^3 + 744660x^2 + 415524x + 261884$

over the field with q = 1250407 elements; its Frobenius endomorphism π admits the characteristic polynomial $z^4 + 1251z^3 + 1772074z^2 + 1251qz + q^2$, from which one can derive that Z[π, π̄] is an order of index v = 2 · 538259 in the ring of integers of K = Q(π).

We start by computing End(A) locally at 2, that is, determining whether it contains the order in which Z[π, π̄] has index 2; this order is generated by π and α/(2q) where

$\alpha = 417q + 1346084914086\,\pi + 497115559392\,\pi^2 + \pi^3.$

To determine whether α/(2q) belongs to End(A) or, equivalently, whether α/2 does (as q is coprime to v), we use the method of Eisenträger and Lauter [13]: it takes 102ms to determine that α kills the full 2-torsion of A, which establishes that End(A) is locally maximal at 2.

Now denote by $\mathfrak{p}\bar{\mathfrak{p}}$ the factorization of 7 in Z[π, π̄] and observe that $\mathfrak{p}$ is principal in O_K. We evaluate the corresponding isogeny, spending 10.9s to find its kernel and 1.37s to identify the isogenous variety; since it is not isomorphic to A we have established, in just 12.3s, that

$\operatorname{End}(A) \simeq \mathbb{Z}[\pi, \alpha/(2q)].$

This computation is clearly intractable using previous algorithms: the full 538259-torsion of A is defined over an extension of degree e = 869166638466, so it would require a rough minimum of $\log(q^e)\log(q^{eg}) \approx 2^{90}$ operations just to find a random 538259-torsion point.

7.2 Example with composite v

For a less degenerate case, let A be the Jacobian variety of the curve with equation

$y^2 = x^5 + 800x^4 + 2471x^3 + 6695x^2 + 1082x + 7062$

over the field with q = 7681 elements. It takes just 60ms to compute that the characteristic polynomial of its Frobenius endomorphism is $z^4 + 114z^3 + 7566z^2 + 114qz + q^2$, from which it takes negligible time to derive that Z[π, π̄] has index 2² · 47² · 379 in O_K.

Again, we start by computing the endomorphism ring locally at 2 using the method of Eisenträger and Lauter [13]. Only 75ms are needed to find a basis for the full 2-torsion (the 4-torsion is not needed) and evaluate the relevant endomorphism on it; this determined that End(A) contains the order O_2 = Z[π, π̄] + 47² · 379 · O_K. Having established that, we may start Algorithm 3.3 from the order O_2 instead of Z[π, π̄]; the two orders directly above O_2 have index 379 and 47² in O_K.

First consider that of index 47²: in just 100ms we find that ideals of norm 3² have order 92 in its class group. Computing the 92 corresponding isogenies takes 37s, that is, 400ms on average. As the isogenous variety is not isomorphic to A, we deduce that End(A) is minimal locally at 47.

Next we consider the order with index 379; after 150ms, we find that the ideal $\mathfrak{p}^{62}(\mathfrak{r}\mathfrak{s})^2$ is principal in it, where the primes appear in the splittings $3 = \mathfrak{p}\bar{\mathfrak{p}}$ and $19 = \mathfrak{r}\mathfrak{s}\bar{\mathfrak{r}}\bar{\mathfrak{s}}$. We therefore proceed to test whether the corresponding relation holds in A: it takes 67s on average to compute each of the two 19-isogenies, and 400ms for each of the 3-isogenies. The isogenous variety, which is determined after a total of 157s, is not found to be isomorphic to A, hence we deduce that End(A) is the order containing Z[π, π̄] with index 4.

Note that the full 47-torsion and full 379-torsion live over extensions of degree 34592 and 13609890 respectively, which again makes computing End(A) using previous methods quite expensive.
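The index claims in both examples can be cross-checked from the characteristic polynomials alone, using only the identities quoted in the proof of Lemma 3.2: disc(Z[π]) = disc(χ_π), [Z[π, π̄] : Z[π]] = q for g = 2, so disc(Z[π, π̄]) = disc(χ_π)/q², and v² must divide disc(Z[π, π̄]) because disc(Z[π, π̄]) = v² disc(O_K). The Python script below is added here as an illustration; it is not the Magma code behind the paper's computations, and the helper names are ours. It computes the discriminant of a Weil polynomial exactly as the resultant of χ_π and χ'_π (a Sylvester determinant evaluated with fraction-free Bareiss elimination), then tests the divisibilities above together with the two bounds of Lemma 3.2 on the polynomials of Sections 7.1 and 7.2.

```python
def bareiss_det(matrix):
    """Exact integer determinant by fraction-free Gaussian elimination (Bareiss)."""
    m = [row[:] for row in matrix]
    n = len(m)
    sign, prev = 1, 1
    for k in range(n - 1):
        if m[k][k] == 0:                     # find a non-zero pivot below, or the matrix is singular
            swap = next((i for i in range(k + 1, n) if m[i][k] != 0), None)
            if swap is None:
                return 0
            m[k], m[swap] = m[swap], m[k]
            sign = -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                m[i][j] = (m[i][j] * m[k][k] - m[i][k] * m[k][j]) // prev   # exact division
        prev = m[k][k]
    return sign * m[n - 1][n - 1]


def sylvester(f, g):
    """Sylvester matrix of f and g (coefficient lists, highest degree first)."""
    n, m = len(f) - 1, len(g) - 1
    size = n + m
    rows = [[0] * i + f + [0] * (size - n - 1 - i) for i in range(m)]
    rows += [[0] * i + g + [0] * (size - m - 1 - i) for i in range(n)]
    return rows


def discriminant(f):
    """disc(f) = (-1)^(n(n-1)/2) * Res(f, f') / lc(f), computed exactly over Z."""
    n = len(f) - 1
    deriv = [c * (n - i) for i, c in enumerate(f[:-1])]
    res = bareiss_det(sylvester(f, deriv))
    sign = -1 if (n * (n - 1) // 2) % 2 else 1
    return sign * res // f[0]


def weil_quartic(a, b, q):
    """chi_pi = z^4 + a z^3 + b z^2 + a q z + q^2 for an abelian surface over F_q."""
    return [1, a, b, a * q, q * q]


def index_check(a, b, q, claimed_index, g=2):
    """Consistency checks for a claimed index v = [O_K : Z[pi, pibar]].

    disc(Z[pi, pibar]) = disc(chi_pi) / q^(g(g-1)) must be an integer, v^2 must
    divide it, and both bounds of Lemma 3.2 must hold.  Returns a dict of results.
    """
    d_chi = discriminant(weil_quartic(a, b, q))
    idx = q ** (g * (g - 1) // 2)            # [Z[pi, pibar] : Z[pi]] from the proof of Lemma 3.2
    if d_chi % (idx * idx) != 0:
        raise ValueError("disc(chi_pi) is not divisible by the square of the index")
    d_order = d_chi // (idx * idx)
    bound = 4 ** (g * (2 * g - 1)) * q ** (g * g)
    return {
        "disc_chi": d_chi,
        "disc_order": d_order,
        "index_squared_divides": d_order % (claimed_index ** 2) == 0,
        "lemma32_disc_bound": abs(d_order) <= bound,
        "lemma32_index_bound": claimed_index ** 2 <= bound,
    }


if __name__ == "__main__":
    # The two Frobenius polynomials and indices reported in Section 7.
    for a, b, q, v in [(1251, 1772074, 1250407, 2 * 538259),
                       (114, 7566, 7681, 2**2 * 47**2 * 379)]:
        r = index_check(a, b, q, v)
        print(q, r["index_squared_divides"], r["disc_order"] // v**2)
```

The quotient printed in the last column is disc(Z[π, π̄])/v², which equals disc(O_K) when the claimed v is exact; a claimed index whose square does not divide disc(Z[π, π̄]) would be rejected immediately, although the check cannot by itself rule out that the true index is a proper multiple of the claimed one.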

This illustrates that, even when the orders in which we look for relations have moderate class numbers, the bottleneck of our algorithm remains the evaluation of isogenies. Accordingly, in both computations above, we have used a simple baby-step giant-step method in place of Algorithm 5.2, which allowed us to find much smaller relations and therefore to better balance the cost of evaluating isogenies with that of searching for relations.

Overall, we find that our algorithm clearly outperforms previous methods as soon as the index [O_K : Z[π, π̄]] has prime power factors ℓ^n for which the torsion points live over significant extensions of the base field, although those methods are still very useful to compute the endomorphism ring locally at small primes.